We're currently implementing "autoconfig" for Thunderbird, which is
intended to be able to automatically figure out the mail settings needed
to configure an email account, like hostnames, ports, SSL on/off, secure
auth algo etc.. All that the user should need to provide is his real
name, email address and password. We take the domain of the email
address and try to find the configuration from that.
Please see
https://wiki.mozilla.org/Thunderbird:Autoconfiguration#Implementation
I think that's fairly secure (and specifically designed to be). We try
to get the config only by contacting servers at the original domain
example.net (or Mozilla), and that should be under the control of the
mail provider Example Corp. We also try to do that only via secure
mechanisms (which is a pain, because it rules out DNS).
philor, during review, asked for a "formal security review" by the
Mozilla Security Group, so that's what this post is about.
The risk here is that we find and offer a configuration that contains
mail servers operated by an attacker. E.g. Emily wants to set up
em...@example.net, but we find a configuration for example.net that
includes imap.evil.com. Then, evil.com would gain Emily's email
password. Or imap.example.net offers SSL, but the attacker manages to
return a config without SSL nor password encryption, and then using a
MITM to read the cleartext password.
Mitigating factors are:
* There is a small time window for the attacker. It's all only about
the account setup wizard, and setting up an account is a very rare
action, 2 times per year roughly on average.
* The attacker has to run a MITM or DNS attack of some sort.
* We show the configuration (hostnames etc.) to the user before we
create the account, and do not send the password before the user
clicked "Create account".
* The greatest possible danger here is a loss of the email password.
Addons/Extensions or downloads of EXEs pose a *far* far larger
risk. Therefore, we should be careful, but not overly hesitant.
Philor came up with one possibly problematic case: A webhoster which is
allowing customers to register subdomains. So, a customers has
f...@hoster.com and fred.hoster.com. How, if the attacker registers
autoconfig.hoster.com, it can redirect Fred to imap.evil.com and get the
password.
I can see two possible counter-measures for that:
1) The webhoster must block the autoconfig subdomain or register/use it
himself.
2) We also contact https://www.<domain>/autoconfig/mail/mozilla.xml
/before/ we contact autoconfig.<domain>.
Upside of 2) is that it's a bit easier to set up (no new host). Downside
is that it creates more 404 spam in the hoster's logfile (same as
/favicon.ico, which I hate).
Microsoft has a very, very similar feature in Outlook / Exchange 2007,
which also contacts "https://<domain>/autodiscover/autodiscover.xml" and
"https://autodiscover.<domain>/autodiscover/autoodiscover.xml", so they
do exactly the same (same idea independently), and they used 2) above.
(There are some differences in the XML files, so dropping our own format
in favor of Microsoft's is not a good idea, but I plan to implement the
autodiscover as well, in case we talk to Exchange 2007 servers).
Somebody can see other problematic situations?
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
